The Safe Mac



MacDefender variants slip past security software

Posted on June 3rd, 2011 at 7:27 AM EST

More and more reports of new variants of MacProtector, including one now called MacShield, are circulating on the internet.  Some of them appear to have been modified just enough to slip past some anti-virus (AV) software.  Although AV software is constantly being updated to catch these new variants, it's a game of catch-up: a freshly modified variant can go undetected until the vendors receive a sample of it.

It is important for Mac users to do two things.  First, be vigilant.  If you get alerts about viruses while browsing, don't panic.  That is exactly what these scammers want you to do.  If the installer is downloaded, don't run it, and if it runs on its own, don't click the Install button.  As long as you don't do that, nothing has been installed and you're not infected.

Second, if a sample slipped past your AV software, submit the installer to AV vendors so they can update their definitions more quickly.  I highly recommend submitting to the ClamAV project, which is a volunteer project and thus needs everyone's assistance.  Make sure to include the text "macosx" (no spaces) in the description so that the Mac folks can find those submissions among the floods of Windows malware that get submitted every day.



Apple releases security update for MacDefender

Posted on May 31st, 2011 at 7:22 PM EST

Apple released Security Update 2011-003 today, addressing the MacDefender issue.  According to Apple’s documentation on this update, there are three basic additions to assist in dealing with the MacDefender outbreak.  Before reading further, it may be worthwhile to read my Mac Virus Guide, to understand some of the fundamental ideas involved, and Apple’s own document on quarantine.




Yet another MacDefender variant: MacGuard

Posted on May 25th, 2011 at 7:34 PM EST

Another new trojan has appeared in the MacDefender/MacSecurity/MacProtector line.  This time it's called MacGuard.  From the initial reports, it does not sound like it is significantly different in most respects from the earlier versions.  However, there is one notable difference: it no longer requires an administrative password to install.  I am not yet clear on exactly why: some sites report that it is installed in the user's Applications folder rather than the global one, while others give uninstall instructions that refer to the main Applications folder.  I will report more as I learn more, but for now it appears that the same MacProtector removal instructions will work, with minor modifications.  First, and obviously, you need to look for the name MacGuard in addition to the other three when removing.  Second, look in both the main Applications folder and the one in your user folder, and remove MacGuard from wherever it is.

If anyone has additional information, please let me know, and if anyone finds a live link to the malware, please let me know so I can get a copy of it.
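As an added example (not part of the original post, and not code from Apple or The Safe Mac), the following POSIX shell check does the second step above mechanically: it looks in both the system Applications folder and the one in the user's home folder for app bundles carrying any of the variant names that appear on this page, and moves matches into a quarantine folder rather than deleting them, so that a sample survives for submission to an AV vendor as recommended in the post above.  The function names, the quarantine location and the idea of passing the folders as parameters are my own assumptions; the variant list comes from the posts on this page.

```shell
#!/bin/sh
# Added example, not code from The Safe Mac or Apple.
# Looks for app bundles named after the MacDefender variants mentioned on
# this page in the folders given as arguments (normally /Applications and
# "$HOME/Applications", the two places the removal instructions refer to).
# The folders are parameters so the check can be exercised on a test tree.

# Variant names from the posts on this page, lower-cased for comparison.
VARIANT_NAMES="macdefender macsecurity macprotector macguard macshield"

# Print the path of every matching .app bundle in the given folders.
# Matches the bundle name exactly (case-insensitively), so an unrelated
# app such as "MacGuardian.app" is not reported.
# Returns 0 if nothing was found, 1 if at least one bundle matched.
find_macdefender_variants() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for app in "$dir"/*.app; do
            [ -e "$app" ] || continue     # the glob matched nothing
            base=$(basename "$app" .app | tr '[:upper:]' '[:lower:]')
            for name in $VARIANT_NAMES; do
                if [ "$base" = "$name" ]; then
                    printf '%s\n' "$app"
                    found=1
                fi
            done
        done
    done
    return $found
}

# Move every matching bundle into the quarantine folder (first argument)
# instead of deleting it, so a copy is kept for submission to AV vendors.
# The remaining arguments are the folders to search.
# Returns the number of bundles moved (0 when the folders were clean).
quarantine_macdefender_variants() {
    quarantine="$1"
    shift
    moved=0
    matches=$(find_macdefender_variants "$@")
    [ -n "$matches" ] || return 0
    mkdir -p "$quarantine"
    oldifs=$IFS
    IFS='
'
    for app in $matches; do
        mv "$app" "$quarantine/" && moved=$((moved + 1))
    done
    IFS=$oldifs
    return $moved
}

# Usage on a real machine (report only, nothing is moved):
#   find_macdefender_variants /Applications "$HOME/Applications"
# To quarantine instead of just reporting:
#   quarantine_macdefender_variants "$HOME/Quarantine" /Applications "$HOME/Applications"
```

This only handles the application bundle in the two folders named above; it does not replace the full removal instructions in the linked post.  Quarantining rather than deleting is a deliberate choice: the bundle is what the AV vendors need, and it can be deleted once it has been submitted.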



Apple responds to MacDefender

Posted on May 24th, 2011 at 9:27 PM EST

Apple posted their own support document today, titled How to avoid or remove Mac Defender malware, in which they describe how to respond to this malware.  Their removal instructions are essentially identical to what I’ve outlined in Identifying and removing MacDefender trojans, which should be reassuring to those who have followed my guidelines.  Even more reassuring is the fact that the article refers to a soon-to-come software update to help combat MacDefender and its variants.  Whether this will come in the form of another update to Quarantine or whether they plan to develop a different response to this particular threat is something that only time will tell.  Regardless, this promise of action should ease users’ minds, especially in the wake of rumors that Apple support techs have been told not to handle MacDefender issues, though some may criticize Apple for not taking swifter action.



Identifying and removing MacDefender trojans

Posted on May 7th, 2011 at 2:08 PM EST

[Edited Thursday, May 26, 9:20 PM]

A lot of people are being affected by MacDefender, or one of the variants of MacDefender (MacSecurity, MacProtector and MacGuard, at this time, possibly more in the future).  As a result, I'm getting a lot of questions from people about how to tell if they're infected, how to get rid of the trojan and what else they need to worry about.  Hopefully, I will answer all those questions and more here.  For those unfamiliar with these trojans, see my previous MacDefender news posts.



MacProtector is yet another MacDefender variant

Posted on May 7th, 2011 at 7:04 AM EST

A number of people are reporting yet another MacDefender variant this morning.  This time, it’s named MacProtector, but it sounds like the method of operation is the same.  Mac users should be on their guard against an attack of this type, regardless of the name.  (If you haven’t been following along, see all my coverage of the MacDefender trojan.)

If anyone can send me a link where MacProtector can be found, so I can verify that it behaves the same as MacDefender, please do!

Edit: Thanks to pieinoz for pointing me to just the right search terms to use on Google Images to find MacProtector.  As I suspected, it does appear to be nothing more than a variant of MacDefender.  After updating my ClamXav definitions this morning, I found that it will detect both MacSecurity and MacProtector.



New MacDefender variant: MacSecurity

Posted on May 6th, 2011 at 12:53 PM EST

A new variant of MacDefender has appeared, called MacSecurity.  The name is different, as is the appearance of the fake “anti-virus scan” website.  However, in all other respects, it is the same as MacDefender, as far as I can tell.




MacDefender malware still rampant in Google Images

Posted on May 6th, 2011 at 9:02 AM EST

For those who have been following news coverage of the new MacDefender trojan, first discovered last weekend, you will know that its primary vector for transmission was apparently Google Images.  Unfortunately, the poisoning of Google Images' cache has apparently not changed, and if anything, may have gotten worse.  I had previously been unable to locate a copy of MacDefender, even on Google Images.  I only got hold of a copy because a reader contacted me privately with information on where to find it.  Last night, however, as I was doing some searches on Google Images, I came across MacDefender scam sites no less than 5 times in 15 minutes.



MacDefender in action

Posted on May 3rd, 2011 at 7:40 AM EST

I have located a copy of the MacDefender trojan (thanks to Linc Davis, who sent me the link) and have done some testing myself.  Below is a detailed account of my experiences with it, as a continuing addition to previous news on this issue on my blog.



MacDefender news

Posted on May 2nd, 2011 at 7:12 AM EST

MacDefender has been noticed by the security companies this morning.  Intego reps are posting on Apple Support Communities looking for samples of this trojan, and Intego has posted a blog entry describing what they have discovered.  Apparently, this trojan is somehow downloaded after people searching the Google Images database get redirected to a malicious site.  How the installer ends up running by itself is unknown, but may point to a security hole in Safari.



This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.